patch

ci: test #135

Workflow file for this run

	name: patch

	on:
	push:
	paths:
	- '*/'
	- '!README.md'
	- '!images/**'
	jobs:
	immunize:
	runs-on: ubuntu-latest
	strategy:
	fail-fast: true
	matrix:
	# images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18', 'docker.io/library/python:3.10.10-alpine3.17',
	#'docker.io/library/golang:1.18.10', 'docker.io/library/node:18.17.1-slim', 'docker.io/library/rust:1.69.0', 'docker.io/library/python:3.5.10-slim']
	images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0',
	'docker.io/library/python:3.13.0a3-bullseye', 'docker.io/library/python:3.11.7-slim-bookworm']

	steps:
	- name: Install Cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.2'
	# - name: Set up Docker Buildx
	# uses: docker/setup-buildx-action@dedd61cf5d839122591f5027c89bf3ad27691d18

	- name: Generate Trivy Report
	uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
	with:
	scan-type: 'image'
	format: 'json'
	output: 'report.json'
	ignore-unfixed: true
	vuln-type: 'os'
	image-ref: ${{ matrix.images }}

	- name: Check Vuln Count
	id: vuln_count
	run: \|
	report_file="report.json"
	vuln_count=$(jq '.Results \| length' "$report_file")
	echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT

	- name: Set Tag
	id: set_tag
	run: \|
	TAG=$(echo "${{ matrix.images }}" \| grep -oP '(?<=:).*' \| grep -oP '^[^/]+')
	IMMUNIZED_TAG="${TAG}-immunized"
	PATCHED_TAG_SBOM=$(echo "${{matrix.images}}" \| tr '/:' '-')
	echo "PATCHED_TAG=${IMMUNIZED_TAG}" >> $GITHUB_ENV
	echo "PATCHED_TAG_SBOM=${PATCHED_TAG_SBOM}" >> $GITHUB_ENV

	- name: Copa Action
	if: steps.vuln_count.outputs.vuln_count != '0'
	id: copa
	uses: sozercan/copa-action@out-vex
	with:
	image: ${{ matrix.images }}
	image-report: 'report.json'
	patched-tag: ${{ env.PATCHED_TAG }}
	output: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json

	# - name: list files
	# run: \|
	# ls -al
	# cat test.json
	# sudo cat test.json

	- name: Archive openvex vuln report
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.PATCHED_TAG_SBOM }}-openvex-report
	path: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json

	- name: Log into ghcr
	if: steps.copa.conclusion == 'success'
	id: login
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Tag Image for GHCR
	if: steps.login.conclusion == 'success'
	run: \|
	docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}

	- name: Docker Push Patched Image
	id: push
	if: steps.login.conclusion == 'success'
	run: \|
	docker push ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}

	- name: Produce Image SBOM
	uses: anchore/sbom-action@v0
	with:
	image: "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
	artifact-name: ${{ env.PATCHED_TAG_SBOM }}.spdx.json

	- name: Sign image with Cosign
	run: \|
	cosign sign --yes --key env://COSIGN_PRIVATE_KEY "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
	env:
	COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	- name: Attest the Image with SBOM
	run: \|
	echo "${{ env.PATCHED_TAG_SBOM }}"
	SBOM_FILE=$(find /tmp/sbom-action-* -name "${{ env.PATCHED_TAG_SBOM }}.spdx.json" -type f)
	echo "${SBOM_FILE}"
	if [ -z "$SBOM_FILE" ]; then
	echo "Error: .spdx file not found"
	exit 1
	fi
	cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdx --predicate "${SBOM_FILE}" "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
	env:
	COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}


	send-mail-report:
	runs-on: ubuntu-latest
	needs: immunize
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v3

	- name: Download openvex reports
	uses: actions/download-artifact@v4

	- name: List files
	run : \|
	ls -lah

	- name: Send Mail Report
	run: \|
	python $GITHUB_WORKSPACE/send_mail_report.py
	env:
	EMAIL_RECIPIENTS: ${{ secrets.EMAIL_RECIPIENTS }}
	EMAIL_ADDRESS: ${{ secrets.EMAIL_ADDRESS }}
	EMAIL_PASSWORD: ${{ secrets.EMAIL_PASSWORD }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: test #135

Workflow file

ci: test #135

Jobs

Run details

Workflow file for this run